In many applications, it can be useful to employ means for verifying the integrity of a system by interrogating the components it is composed of. For example, a weapon system may require components to be internally validated during a boot process, or a vehicle may validate critical electronic control units on startup. Prior art typically accomplishes the verification of a component through a demonstration that it possesses a secret value, for example, through a zero knowledge proof of knowledge. This method of verification, however, may be associated with one or more constraints relating to hardware integrity or the security of private information. As to hardware integrity, existing component authentication protocols only verify that an entity possesses a private value, and typically just infer hardware integrity if the device has a physical construction designed to deter tampering (e.g., a hardware security module). Even with a tamper resistant physical construction, the integrity of the physical construction is not inextricably linked to the integrity of the device itself. As to the security of private information, existing component authentication protocols require that the component store and protect private information (typically a private key for cryptographic authentication protocols). If the private information is compromised, it may be possible for an adversary to masquerade as a valid component in the larger system.
Asim et al. (“Physical Unclonable Functions and Their Applications to Vehicle System Security,” Vehicular Technology Conference, VTC Spring 2009, IEEE 69th) discusses using PUFs in vehicle components as a method for regenerating private keys, which is a well-known application. However, they fail to give an enabling construction allowing a system-wide identity to be constructed from each of the individual components.
Rigaud (editor) in “D3.1 Report on Protocol choice and implementation,” Holistic Approaches for Integrity of ICT-Systems (2014) describes applying PUFs to chips as a method for authenticating a chip (the device-under-test) to the testing equipment, which could detect fake chips. However, there is no construction that would enable a system-wide identity to be constructed from each of the individual chips.
Ibrahim et al. (“Cyber-physical security using system-level pufs,” Wireless Communications and Mobile Computing Conference (IWCMC), 2011 7th Int'l, IEEE) discusses the general concept of combining PUFs from distinct system components to form a combined identity, but they fail to give an enabling construction. In their concluding remarks, the authors specifically state that they lack a realized solution.
Peeters (“Security Architecture for Things That Think,” Diss. Ph. D. thesis, KU Leuven, June 2012) describes using a PUF in resource-constrained devices for regenerating a share from an external threshold system composed of a user's devices. The PUF is applied solely as a storage mechanism, eliminating the need to store the share in plaintext on the device. However, no internal threshold application is given, nor is the challenge-helper pair ever refreshed.
Krzywiecki et al. (“Coalition resistant anonymous broadcast encryption scheme based on PUF,” Trust and Trustworthy Computing. Springer Berlin Heidelberg, 2011, 48-62) describe a broadcast encryption scheme where subscribers must invoke a PUF-enabled card to regenerate shares of a threshold system. The construction requires an incorruptible distributor to store and protect raw PUF output. The system is designed to allow an end device to recover a symmetric key only if it has not been revoked by the broadcaster. The PUF-enabled receiving device must construct the full symmetric key from its shares in order to decrypt the incoming transmission. No internal threshold application is given, nor is the challenge-helper pair ever refreshed.
Khoshroo et al. (“Design and Evaluation of FPGA-based Hybrid Physically Unclonable Functions,” Diss. Western University London, 2013) describe a modified secret sharing scheme, where each player's share is a challenge-helper pair generated from the dealer's PUF. The actual shares for the threshold system are recovered only given both the challenge-helper pair and access to the PUF, which regenerates the share from the challenge-helper pair. As each share is worthless without access to the PUF, an adversary can compromise all of the end devices, and yet is unable to recover the secret without access to the PUF. No cryptographic operations are possible over these pseudo-shares. The shared secret may only be recovered if all of the shares are regenerated, and the dealer is assumed to be incorruptible. The dealer's PUF is used only as a method for obfuscating the shares that are distributed to players.